In the 25 years that Helen Cahill kept the books of her small business near Melbourne Airport, she never had trouble banking online.
- Helen Cahill mistakenly logged into a fake Bendigo Bank website and had $30,000 stolen
- There have been more than 35,000 reported attempts to obtain personal information about Australians since January
- Scam victims are encouraged not to be embarrassed and to report it promptly
So, on a particularly busy afternoon on May 26, when she sat down at her desk, she thought it was odd that it was taking so long to log on.
She had searched Google for “Bendigo Bank” and clicked on the first link that appeared, which was a Google ad for the bank.
She then entered her login details, including a two-factor authentication PIN.
What Ms Cahill soon discovered was that she had clicked on a malicious advertisement instead of the Bendigo Bank website and a scammer had gained access to her account.
“It was probably within two minutes that I logged on to the real Bendigo bank… and realized that $30,000 had been taken out of my account,” Ms Cahill said at 7.30am.
“I just felt really violated… I thought, ‘How can this happen? I really feel like a very cautious and cautious person when I’m banking.”
Ms Cahill quickly phoned the bank to report the incident and also spoke to the IT company that deals with her company’s computers, called Ignite Systems.
They were able to retrace the steps taken by Ms Cahill and discovered that the site had a fake URL that was easy to quickly miss, referring to “bendigohank” instead of “bendigobank”.
“It looked like a replica of the authentic Bendigo Bank website,” Ms Cahill said.
“My take home message would be: it can happen to anyone.”
After days of constant calls and follow-ups from Ms Cahill, Bendigo Bank was able to return the funds within a week.
But she remains concerned that a malicious site has been promoted on Google without the bank notifying customers of its existence.
“At first I was very annoyed, then I became very angry that a real Google ad could be linked to a fake online banking site.
“I just don’t understand how…the bank didn’t know. I think something has to happen with Google, so they can run these ads.”
Bendigo Bank said in a statement that after the advertisement was discovered, its “Financial Crimes Team alerted the owner of the platform and had the fraudulent advertisement removed.”
Cybersecurity expert Dave Lacy told 7:30 a.m. that Google’s ad scams are particularly sophisticated.
“They use third-party, what we call, advertising affiliates who have the ability to almost manipulate or modify ads after passing a verification process,” Lacy said.
Google did not explain how the fraudulent ad showed up in its search engine.
The tech giant said in the last year alone it blocked or removed nearly 60 million ads worldwide for violating financial services policies, and said it is constantly developing new tools to protect its users against fraudsters.
Scams on the rise
There have been more than 35,000 reported attempts to obtain personal information about Australians since January.
The Australian Cybersecurity Center reported that cybercrime cost the economy an estimated $33 billion in 2021.
The national identity and cyber-assistance service IDCARE has never been so active, according to its director general, Mr. Lacy.
“I don’t think there’s a lot of crime that can be said to come into the family home almost on a daily basis,” he said.
“[Scammers’] the whole thing is about deception and they are well trained and versed in it.”
A popular method used by scammers is something called “phishing”, where things like an email impersonating a bank or phone company are used to trick people into sharing their personal information.
“Smishing” is a similar method, involving text messages.
“So smishing is done through text messages and phishing more generally through email or phone calls,” Lacy said.
“What’s yours is also ours”
One of the leaders of a group involved in a prolific scam operation was jailed in May after duping dozens of Australians as large swaths of the population were locked down by COVID-19 in 2020.
Court documents reveal the group created fake identities on a website they called the ‘1-stop-rort-shop’, boasting online of software that could evade SMS spam filters .
Self-promotional videos of their exploits, which were seized by police as part of the operation, showed special logos and wads of cash accompanied by threatening music.
“In this particular case, we would say the offenders were quite skilled,” Cyber Command Acting Assistant Commissioner Chris Goldsmid said at 7:30 a.m.
“We estimate they sent over 20 million text messages… That’s a significant number of people who could have potentially had their information stolen and access to their bank accounts.”
The “rort corp” motto was “what’s yours is also ours”.
Police found the men had access to staggering amounts of personal information, including secret online questions and answers.
In one instance, a member of the group bragged about sending “13 sets” of personal and financial information, including bank account user numbers, account passwords, full names, credit cards, expiration dates and CCV numbers.
The union had dozens of identities on tap and templates for health insurance cards.
“It’s difficult for law enforcement and agencies to apply traditional deterrence and response tools,” Lacy said.
“Certainly when arrests do occur, we cherish and appreciate that.”
The newly elected Labor government has pledged to crack down on cybercrime, including introducing new industry codes for banks and telecoms operators.
Experts place a strong emphasis on preventing crime in the first place and acting quickly when people’s accounts are compromised.
“If you think you’ve been scammed, don’t be embarrassed. Contact your bank,” Acting Assistant Commissioner Goldsmid said.
“The sooner you report it, the better the chance… of getting that money back.”
Watch this story tonight at 7:30 p.m. on ABC TV and ABC iview.